OWASP Enterprise Application Security Project

Main

Objective

The OWASP Enterprise Application Security Project (OWASP-EAS) exists to provide guidance to people involved in the procurement, design, implementation or sign-off of large scale (i.e. 'Enterprise') applications.

The purpose of the project

Enterprise application security is one of the major topics in the overall security area because those applications control money and resources, and any security violation can result in significant money loss. The purpose of this project is to make people aware of enterprise application security problems and to create guidelines and tools for enterprise application security assessment.

Project Roadmap

Statistics

Objective

This document is the first statistics report. It will be repeated annually and will include trends and changes in the Enterprise Business Application Security area.

Purpose

This document will show the results of statistical research in the Business Application security area made by ERPscan Research Group and the OWASP-EAS project. The purpose of this document is to raise awareness about Enterprise Business Application security by showing the current number of vulnerabilities found in those applications, how critical they are and what trends we see.

Intro

Business applications like ERP, CRM, SRM, and others are one of the major topics within the field of computer security, as these applications store business data, and any vulnerability in these applications will cause a significant monetary loss. Nonetheless, people still do not pay much attention to Enterprise Business Application security, judging by our and our colleagues' research and assessment data.
Business applications are very large and complex systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities.
Overall security of an Enterprise Business Application consists of different layers, such as:
• Network architecture security
• OS security
• Database security
• Application security
• Front-end security

Each of these layers may have its own vulnerabilities that can give an attacker full access to business data even if the other layers are completely secured. In this document, all the popular applications from the described layers and their vulnerabilities will be shown. The purpose of this document is to increase awareness of Business Application security.

Authors

Development of guides

Objective

This document will describe different areas of program vulnerabilities that can be found in Enterprise Business applications and ERP systems.

Purpose

The purpose of this document is to increase awareness among the developers of Enterprise Business software. Here, we will collect the top software vulnerabilities on the server side and the front-end side that can exist in Business Applications.

Intro

There are many different languages and technologies that can be used to develop business applications and write custom code. Here, we will try to categorize them first by dividing them into Server side and Client side. A Top 10 list of vulnerabilities for both areas will be shown.

Main

Cross-links to CWE, SANS and OWASP, and risks with descriptions, will be added soon.

Links

Authors

Implementation guides

Objective

This document will describe different areas of secure implementation of Enterprise Business Applications and ERP systems. Here, we will mainly focus on security architecture and configuration threats because program errors are well described in the "Software vulnerabilities" topic.

Purpose

The purpose of this document is to increase administrators' awareness of Business Application security and help them to start a self-assessment of their systems and find the most critical violations.

Intro

Enterprise Business Applications (such as ERP; that is, any software system designed to support and automate the business processes of medium and large businesses) are very large systems that consist of different components such as Database server, Front-end, Web server, Application server and other parts. Also, those systems rely on different hardware and software that can have their own vulnerabilities. Each of these layers may have its own vulnerabilities and misconfigurations that can give an attacker full access to business data even if the other layers are completely secured.

All the data was collected and categorized during our extensive practice of assessing the security of popular Business Applications such as SAP ERP, Oracle E-Business Suite, Oracle Peoplesoft, JD-Edwards and other lesser-known or custom applications.

Main

Overall security of Enterprise Business Application consists of different layers, including:
• Network architecture security
• OS security
• Database security
• Application security
• Front-end security

In this document, we will describe the top 10 violations on every layer of an Enterprise Business Application that can be easily assessed and mitigated.

Links

Authors

Project About

PROJECT INFO: What does this OWASP project offer you?

RELEASE(S) INFO: What releases are available for this project?

What is this project?

Name: OWASP Enterprise Application Security Project (home page)

Purpose: Enterprise application security is one of the major topics in the overall security area because those applications control money and resources, and every security violation can result in a significant money loss. The purpose of this project is to make people aware of enterprise application security problems and to create a guideline for EA security assessment.